How phishing-resistant MFA works
Traditional MFA factors, one-time codes from apps or SMS and push approvals, share a weakness: the user can be tricked into handing the proof to the wrong party. A convincing fake login page relays the password and the code to the real site in seconds, and a flood of push notifications eventually gets an accidental approval. The factor is real; the destination is not verified.
Phishing-resistant MFA removes the human from that verification. With FIDO2 and WebAuthn, the authenticator holds a private key and signs a challenge that is cryptographically bound to the website origin. If the user is on a look-alike domain, the signature simply does not match and authentication fails, no matter how convinced the user is. There is no code to read out, no prompt to approve blindly and no shared secret stored on the server to steal. Certificate-based smart cards achieve the same property through mutual TLS.
Why it matters
Phishing has industrialized. Kits sold as a service place a transparent proxy between the victim and the real site, capturing passwords, one-time codes and the resulting session cookie in real time, which defeats most conventional MFA without any sophistication from the operator. MFA fatigue attacks have compromised well-defended organizations simply by annoying one employee at the right moment.
This shift is reflected in guidance and regulation: security agencies and frameworks increasingly name phishing-resistant MFA explicitly, requiring it for administrators, remote access and high-impact systems. For organizations, the practical difference is stark: with origin-bound factors, the entire class of proxy phishing, code-relay and prompt-bombing attacks stops working, rather than merely becoming harder.
Adopting phishing-resistant MFA
Most organizations phase it in. Administrators, finance roles and remote access come first, since those accounts are targeted hardest. Passkeys make the rollout easier than older hardware-token programs: platform authenticators built into phones and laptops mean many users need no extra device, while synced passkeys reduce lockout risk when hardware changes.
Two details decide real-world resistance. First, fallback methods: if a user can still fall back to SMS codes, an attacker will simply trigger that path, so weaker factors must be phased out or tightly restricted. Second, registration and recovery flows must be as protected as login itself, since attackers increasingly attack enrollment instead. Monosign supports this transition by offering FIDO2 passkeys alongside classic MFA with adaptive step-up, letting teams migrate group by group without a hard cutover.